
POLICIES

Campus Data Security Policy

Issued: September, 2009
Responsible Official: Director of IT
Responsible Office: IT Central

Policy Statement

Policy

In the course of its operations, Minot State University (MSU) collects and maintains restricted data about students, employees, donors, vendors, and others. This policy governs the use, control, and access to restricted data defined by statute, regulation, contract, license, or definitions within this policy. University data must be protected against threats such as malicious misuse, unauthorized intrusions, and/or inadvertent compromise. Each MSU department and employee is responsible for the integrity and security of University data used, controlled, or accessed within their area.

This policy establishes parameters for protection of University data, not the medium or application that the data resides in. This policy aligns with other established policies and procedures for data security and NDUS Procedure Computer and Network Use.

Prior to use of restricted University data via laptop computer or other electronic portable data device, employees are responsible for obtaining appropriate protections for such computers or portable devices, or for verifying that such protections are already in place. The use of unprotected equipment to access or store University data is prohibited, whether or not the equipment is owned or controlled by the University.

Responsibilities

The Director of Information Technology (IT) is responsible for implementing appropriate data security policies, procedures, and technology standards (i.e. hardware and software) for the University.

MSU employees are responsible for protecting restricted University data to which they have access. Data security standards and procedures are posted at Department heads are responsible for insuring their employees have knowledge of and access to MSU data security standards and procedures. This responsibility extends to data accessed on University office equipment, as well as personally owned equipment on which restricted University data is stored or manipulated.

Purpose

The Minot State University is committed to maintaining the confidentiality of all restricted University data. The purpose of this policy is to establish classifications for University data and a framework to preserve the integrity of all University data, regardless of the hardware, systems, etc. where the data may reside in or be accessed from.

Definitions

Data Steward: University officials and agents of the University who have designated duties for collection, input, and maintenance responsibilities for data within their functional area.

Encryption: Programs and measures to encode information such that it cannot be decoded and read without knowing an appropriate key. Transforming information using a secret key so that the information is unintelligible to unauthorized parties.

ERP System: Any centralized data storage or distribution system on campus. Enterprise Information Systems are managed by ITD.

Internal/Limited Access University Data: Data that would not expose the University to loss if disclosed, but should be protected. Internal/limited access University data includes, but is not limited to, operational data likely to be distributed across organizational units within the University.

Network: Any number of computers and portable devices joined together by a physical or wireless communications link that allows information to be passed between computers, irrespective of where those computers are located. Networks provide the pathways for information traffic and allow employees to access databases and share applications residing on servers.

Personally Identifiable Information (PII): Data that can be used to uniquely identify an individual.

Portable Devices or Media: Portable devices include laptops, Personal Digital Assistants (PDA), or any other portable technology hardware. Media includes technology storage mediums such as CDs, DVDs, magnetic tapes, floppy disks, external hard drives, and universal serial bus (USB) drives, or any other portable data storage media.

Public University Data: Data available within the University community and to the general public.

Restricted University Data: Data protected by federal or state law or regulations, or by contract. Restricted University data includes, but is not limited to, data that is protected by the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach Bliley Act (GLBA).

Server: An application or hardware that performs services for connected clients as part of a client server architecture.

Procedures

General Security

Data security procedures, technology standards, and best practices can be found at Employees are responsible for insuring that appropriate security controls in accordance with published University standards are installed on their office and personal/home computers or any portable devices or media on which restricted University data is stored or accessed.

Restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure through a variety of personal and technical means. All University computers must have recommended operating system patches and updates installed, updated antivirus and antispyware tools installed, and firewalls turned on. Personal passwords are established and secured by employees. Passwords are not to be disclosed or shared.

IT Central is responsible for the security of all Enterprise Information Systems across campus including ImageNow, Active Directory, Exchange and calendaring system, Sharepoint, and Blackboard learning management system. IT Central will audit servers, computers, and portable devices or media with restricted data for compliance with policies and standards and will deny network access for servers, computers, and portable devices or media out of compliance.

Remote Access

Remote access to restricted University data is available only to authorized employees. Employees must be authenticated to access restricted University data remotely. Data must be encrypted during transit.

Home Computers

Home computers that are used to access, store, or transmit restricted University data should use current security patches, updated antivirus and antispyware software, and encryption. In instances where standard security precautions are not free, the employee will incur all costs for security of their home computer. Employees are responsible for deleting all restricted University data from their computer upon termination of employment.

Portable Devices or Media

Each user in the possession of restricted University data is responsible for protecting the data, regardless of the portable devices or media the data resides on. Restricted University data may not be loaded onto any portable device or media unless protective measures are implemented that safeguard the confidentiality and integrity of the data in the event of theft or loss. Protective measures must be implemented before restricted University data is installed. Restricted University data stored on portable devices or media must be encrypted. The University's data encryption standard is located at

Equipment Disposal

University-owned computers and portable devices or media must have all confidential and official university data erased from the computer or portable device or media prior to its transfer out of University control, and/or destroyed, using University standards for inventory disposal.

Failure to Comply with this Policy

Failure to comply with current data security procedures may result in limiting or denying access to University data resources. If, upon investigation, the lack of compliance appears to have been willful and deliberate, disciplinary action may be taken.

IT Central and NDUS Policies available from should be reviewed at the beginning of each academic semester by all users who have access to restricted University data.
